From b5905365128968468451a4bac4984495e2d247ca Mon Sep 17 00:00:00 2001
From: Bram Veenboer
Date: Sun, 4 May 2025 12:30:35 +0200
Subject: [PATCH] Add nginx config files
---
nginx/etc/nginx/conf.d/global.conf | 143 +++++++++++++++++++++++++++++
nginx/etc/nginx/conf/proxy.conf | 10 ++
nginx/etc/nginx/conf/ssl-sub.conf | 21 +++++
nginx/etc/nginx/conf/ssl.conf | 20 ++++
nginx/etc/nginx/nginx.conf | 36 ++++++++
5 files changed, 230 insertions(+)
create mode 100644 nginx/etc/nginx/conf.d/global.conf
create mode 100644 nginx/etc/nginx/conf/proxy.conf
create mode 100644 nginx/etc/nginx/conf/ssl-sub.conf
create mode 100644 nginx/etc/nginx/conf/ssl.conf
create mode 100644 nginx/etc/nginx/nginx.conf
diff --git a/nginx/etc/nginx/conf.d/global.conf b/nginx/etc/nginx/conf.d/global.conf
new file mode 100644
index 0000000..45c25b3
--- /dev/null
+++ b/nginx/etc/nginx/conf.d/global.conf
@@ -0,0 +1,143 @@
+server {
+ listen 80;
+
+ location / {
+ proxy_pass http://host:80;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /transmission {
+ proxy_pass http://host:9091;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /sonarr {
+ proxy_pass http://host:18989;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /radarr {
+ proxy_pass http://host:17878;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /lidarr {
+ proxy_pass http://host:18686;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /bazarr {
+ proxy_pass http://host:16767;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /jellyfin {
+ proxy_pass http://host:8097;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /facette {
+ proxy_pass http://host:12003;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /gitlab {
+ proxy_pass http://host:19080;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /filebrowser {
+ proxy_pass http://host:8001;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /plik {
+ proxy_pass http://host:8087;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /droppy {
+ rewrite ^/droppy(.*)$ /$1 break;
+ proxy_pass http://host:19898;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /ghost {
+ proxy_pass http://host:2368;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /jackett {
+ proxy_pass http://host:9117;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /dss {
+ proxy_pass http://host:10001;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /pgsql {
+ proxy_pass http://host:5050;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /registry {
+ proxy_pass http://host:1080;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server { # dsmr
+ listen 80;
+ server_name dsmr.bram.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8888;
+ rewrite ^/dsmr(.*)$ $1 break;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # homeassistant
+ listen 80;
+ server_name ha.bram.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8123;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server { # esphome
+ listen 80;
+ server_name esp.bram.veenboer.xyz;
+ location / {
+ proxy_pass http://host:6052;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # seafile
+ listen 80;
+ server_name seafile.bram.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8082;
+ include /etc/nginx/conf/proxy.conf;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ #location /seafhttp {
+ # rewrite ^/seafhttp(.*)$ $1 break;
+ # proxy_pass http://host:8182;
+ # include /etc/nginx/conf/proxy.conf;
+ # proxy_set_header X-Forwarded-Proto https;
+ # client_max_body_size 0;
+ #}
+ #location /seafdav {
+ # proxy_pass http://host:8180;
+ # include /etc/nginx/conf/proxy.conf;
+ #}
+}
+
+server { # grafana
+ listen 80;
+ server_name grafana.bram.veenboer.xyz;
+ location / {
+ proxy_pass http://host:3333;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server { # photoprism
+ listen 80;
+ server_name photoprism.bram.veenboer.xyz;
+ location / {
+ proxy_pass http://host:2342;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
diff --git a/nginx/etc/nginx/conf/proxy.conf b/nginx/etc/nginx/conf/proxy.conf
new file mode 100644
index 0000000..78a948d
--- /dev/null
+++ b/nginx/etc/nginx/conf/proxy.conf
@@ -0,0 +1,10 @@
+# Proxy
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Ssl on;
+
+# Websocket
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $http_connection;
diff --git a/nginx/etc/nginx/conf/ssl-sub.conf b/nginx/etc/nginx/conf/ssl-sub.conf
new file mode 100644
index 0000000..924d493
--- /dev/null
+++ b/nginx/etc/nginx/conf/ssl-sub.conf
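Review bot: Every `server` block in global.conf listens only on plain port 80 and no `location` carries an access restriction, so what look like administrative backends (`/pgsql`, `/gitlab`, `/registry`, `/transmission`, the Home Assistant vhost) are reachable unencrypted by anyone who can reach this proxy. Nothing in this patch includes `conf/ssl.conf` or `conf/ssl-sub.conf`, so unless TLS is terminated in front of this nginx (not visible here) the TLS settings added further down are never applied. I would add `listen 443 ssl;` and `include /etc/nginx/conf/ssl.conf;` to the servers and gate the admin paths with `allow <trusted-cidr>; deny all;` or `auth_basic`. The seafile block also sends `X-Forwarded-Proto https` from a port-80 listener, which is only correct if an upstream terminator guarantees HTTPS.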
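Review bot: `proxy_set_header X-Forwarded-Ssl on;` in proxy.conf is hard-coded, yet every server that includes this file in the patch listens on port 80, so backends are told the client connection was TLS even when it arrived as plain HTTP. Backends that trust the header may then skip their own HTTPS enforcement or treat the session as protected. Deriving the value from the connection is safer, e.g. `proxy_set_header X-Forwarded-Proto $scheme;`, keeping a fixed value only where a TLS terminator in front of nginx is guaranteed. `Connection $http_connection` also forwards the client's header verbatim; a `map $http_upgrade $connection_upgrade` block is the usual way to change it only for upgrade requests, and `proxy_set_header X-Real-IP $remote_addr;` would give backends a client address that cannot be pre-seeded the way `X-Forwarded-For` can.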
@@ -0,0 +1,21 @@
+# Enable SSL
+ssl_certificate /host/etc/certs/.bram.veenboer.online/certificate+intermediate.pem;
+ssl_certificate_key /host/etc/certs/.bram.veenboer.online/key.pem;
+ssl_dhparam /host/etc/certs/.bram.veenboer.online/dh.pem;
+
+# Increased security, from https://cipherli.st/
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver_timeout 5s;
+# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# Redirect HTTP trafic
+error_page 497 https://$host:$server_port$request_uri;
diff --git a/nginx/etc/nginx/conf/ssl.conf b/nginx/etc/nginx/conf/ssl.conf
new file mode 100644
index 0000000..5c14b9e
--- /dev/null
+++ b/nginx/etc/nginx/conf/ssl.conf
@@ -0,0 +1,20 @@
+# Enable SSL
+ssl_certificate /host/etc/certs/certificate+intermediate.pem;
+ssl_certificate_key /host/etc/certs/key.pem;
+ssl_dhparam /host/etc/certs/dh.pem;
+
+# Increased security, from https://cipherli.st/
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver_timeout 5s;
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# Redirect HTTP trafic
+error_page 497 https://$host:$server_port$request_uri;
diff --git a/nginx/etc/nginx/nginx.conf b/nginx/etc/nginx/nginx.conf
new file mode 100644
index 0000000..457789e
--- /dev/null
+++ b/nginx/etc/nginx/nginx.conf
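Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in ssl-sub.conf (and the identical line in ssl.conf) still enables the deprecated TLS 1.0 and 1.1 and leaves out TLS 1.3; I would change it to `ssl_protocols TLSv1.2 TLSv1.3;`, assuming the nginx/OpenSSL build in use supports 1.3. `ssl_stapling on;` is set together with `resolver_timeout`, but no `resolver` directive appears anywhere in this patch, and nginx needs one to resolve the OCSP responder host, so stapling will probably not work as written. The HSTS header is commented out here and absent from ssl.conf; a comment such as `# TODO: enable HSTS once all vhosts serve HTTPS` would record that this is deliberate.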
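Review bot: ssl.conf repeats ssl-sub.conf line for line apart from the certificate paths and the commented HSTS header, so any later hardening has to be applied twice and the two files can drift apart. I would move the shared directives (from `ssl_protocols` through `error_page 497`) into one file and keep only `ssl_certificate`, `ssl_certificate_key` and `ssl_dhparam` per certificate, each followed by `include /etc/nginx/conf/ssl-common.conf;` (constructed file name). The `add_header` lines are inherited only by levels that define no `add_header` of their own, which deserves a short comment next to them so a later per-location header does not silently drop `X-Frame-Options` and `X-Content-Type-Options`.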
@@ -0,0 +1,36 @@
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ client_body_buffer_size 1000M;
+ client_max_body_size 5000M;
+
+ server_tokens off;
+ error_page 401 403 404 /404.html;
+ include /etc/nginx/conf.d/*.conf;
+}
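Review bot: `client_body_buffer_size 1000M;` in the `http` block allows nginx to hold up to roughly 1 GB of a single request body in memory, and with `client_max_body_size 5000M;` applied to every server a handful of large uploads can exhaust memory or temp-file space. I would keep the buffer small, e.g. `client_body_buffer_size 128k;` (constructed value), and raise `client_max_body_size` only in the locations that really accept large uploads. With `access_log` commented out nginx falls back to its built-in default log and the `main` format defined above is unused, so stating `access_log /var/log/nginx/access.log main;` explicitly would make the audit trail intentional. `error_page 401 403 404 /404.html;` also presents authentication failures as not-found, which is worth a comment if it is deliberate.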